11 September 2017

AWS Cloud – firewalls, load balancers, WAF …

I’ve worked with firewalls, load balancers, WAFs, SIEM products, etc., and I’ve installed them as both physical and virtual appliances. I’ve also worked with cloud providers like OVH, Arsys, Bluehost, etc., but none of them are like AWS Cloud, because Amazon has changed the way we see the IT world with many services and easy payments where we pay as we use. However, installing network or security appliances in the Amazon Cloud is not an easy task at first, because we have to change our mindset to the Amazon World where, for instance, all traffic is unicast and the ARP protocol is gone.

The first time I took the plunge to use AWS Cloud was to install a firewall with VPN and IDS/IPS services with three simple networks. This, although it seems easy and simple, needs lots of hours of reading and understanding the Amazon World because, first, they already have VPN services like AWS Direct Connect or AWS VPN CloudHub; second, they also have security services like EC2 Security Groups and Network ACLs; third, there are no SPAN ports or mirroring ports for IDS; fourth, there are no VLANs but Virtual Private Clouds (VPC) and subnets. As you can see, we have to adapt our infrastructure and knowledge to the Amazon World if we want to use AWS Cloud.

EC2 Security Group

Another common task is to install a load balancer for better performance and availability of web services. Again, AWS Cloud has its own load balancers like Application Load Balancer (ALB) and Classic Load Balancer (CLB) in the Elastic Load Balancing (ELB) service. This is an “easy” way to balance our traffic between virtual machines, also called EC2 instances, and even to configure SSL offloading with AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM). Auto Scaling configuration is also a must for quick and easy growth. What’s more, GSLB is also an option thanks to Amazon Route 53, where we can have high availability between different AWS regions.

Cross-Zone Load Balancing

If we want to protect our web services against layer 7 attacks like SQLi, XSS or CSRF, we’ll need to install a WAF as well. Once again, Amazon has its own AWS WAF, which is useful to mitigate OWASP’s top 10 Web Application Vulnerabilities and is integrated perfectly with ELB (Elastic Load Balancing) and Amazon CloudFront for delivering highly available and secure web services through the Content Delivery Network (CDN) of Amazon. In addition, we can also protect our services against layer 3/4 attacks with AWS Shield to mitigate, for example, DDoS attacks.

Web site with Amazon CloudFront and AWS WAF

As we can see, there are many Amazon services, and there are many more like AWS Directory Service, Amazon EBS, Amazon S3, AWS KMS, Amazon RDS, AWS CloudTrail, etc. However, we can also install commercial solutions from Fortinet, Check Point, F5 Networks, Radware, Alienvault, etc. in the AWS Cloud. Therefore, we can search Amazon Machine Images (AMI) from AWS Marketplace to install commercial products into the Amazon Cloud.

AWS Marketplace

Today, AWS Cloud has many services, many customers and lots of guides and docs to deliver our services in a reliable way. Meanwhile, we’ll see how Google and Microsoft do their homework to eat a piece of this cake.